UPDATE 2012-04-05

I just received OTA 4.0.4 update notification from my rooted nexus s

DISCLAIMER

Rooting a device requires RESETTING the phone. This will erase ALL EXISTING DATA on your phone’s memory, SD card and usb storage!

Rooting also can brick your phone and void your [...]]]> Tested device: GRK39F I9023
Android vers: 2.3.6

UPDATE 2012-04-05

I just received OTA 4.0.4 update notification from my rooted nexus s

DISCLAIMER

Rooting a device requires RESETTING the phone. This will erase ALL EXISTING DATA on your phone’s memory, SD card and usb storage!

Rooting also can brick your phone and void your warranty!

Make sure you backup everything before continue, you are warned.

Any downloads here is get from some android forum, I am not sure it is virus free.

Take your own risk. I’m not responsible for any loss following any steps below.

The steps here DO NOT FLASH CUSTOM RECOVERY, so it should not avoid google’s OTA update.

UNLOCK BOOTLOADER

1. Download adb4.zip and extract adb folder to c:\
2. Download and extract Nexus_S_Drivers_x86_%26_x64.zip to any folder
3. Download and copy su-2.3.6.1-ef-signed.zip to the root of the phone’s sd card
4. Setting / Application settings / Development

   Click USB debugging

5. Switch off the phone. Keep pressing the volume up button without releasing it, at the same time switch on the phone.
6. Use volume button and navigate to the ‘Reboot Bootloader’ option, then press the power button once.
7. Now connect the usb cable to the phone and the PC
8. When installing the driver to PC, select the folder where you extracted the Nexus_S_Drivers_x86_%26_x64.rar, install the driver to your PC.
9. double click the c:\adb\install-unlock.bat
10. Select ‘Yes’ on your phone then press the power button once.
11. After reboot, then select ‘Reboot’ and press the power button once again.

BACKUP NAND

Before rooting the phone, it is better to backup the nand first.

1. Disconnect the usb cable
2. Setting / Application settings / Development

   Click USB debugging

3. Switch off the phone. Keep pressing the volume up button without releasing it, at the same time switch on the phone.
4. Use volume button and navigate to the ‘Reboot Bootloader’ option, then press the power button once.
5. Now connect the usb cable to the phone and the PC
6. Double click the ‘c:\adb\install-fastboot-windows.bat’.
7. Select ‘Backup and restore’, then select ‘Backup’
8. After Backup, select ‘Reboot System Now’
9. Connect the phone to PC using usb cable. Backup the sdcard:/clockworkmod/backup folder to your PC.

ROOT THE PHONE

1. Disconnect the usb cable
2. Setting / Application settings / Development

   Click USB debugging

3. Switch off the phone. Keep pressing the volume up button without releasing it, at the same time switch on the phone.
4. Use volume button and navigate to the ‘Reboot Bootloader’ option, then press the power button once.
5. Now connect the usb cable to the phone and the PC
6. Double click the ‘c:\adb\install-fastboot-windows.bat’.
7. Select ‘Install zip from sdcard’
8. Select ‘Choose zip from sdcard’
9. Select the ‘su-2.3.6.1-ef-signed.zip’ from the sdcard
10. After installed the su package, select ‘Reboot System Now’

Reference

Mobile01 – I9023 ROOT教學

1. Modding series 7 – Setup OpenVPN Server
2. Modding series 21 – Install FreeRadius Server
3. Modding series 22 – Install FreeRadius plugin for OpenVPN

I’m using daloRadius as accounting and reporting tools here. The management function is not used (except NAS client part).

Install daloRadius

Download daloRadius 0.9.9 package

# cd /volume1/web
# wget http://downloads.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
# tar xvzf daloradius-0.9-9.tar.gz
# rm daloradius-0.9-9.tar.gz
# chown -R nobody:nobody /volume1/web/daloradius-0.9-9
# chown 644 /volume1/web/daloradius-0.9-9/library/daloradius.conf.php


Edit /volume1/web/daloradius-0.9-9/library/daloradius.conf.php, update the values as below


$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'radpass';
$configValues['CONFIG_DB_NAME'] = 'radiusdb';
$configValues['CONFIG_FILE_RADIUS_PROXY'] = '/opt/etc/raddb/proxy.conf';
$configValues['CONFIG_PATH_DALO_VARIABLE_DATA'] = '/opt/var/daloradius';
$configValues['CONFIG_LOG_FILE'] = '/opt/var/log/daloradius.log';


Follow up


# mkdir /opt/var/daloradius
# chown nobody:nobody /opt/var/daloradius
# touch /opt/var/log/daloradius.log
# chown nobody:nobody /opt/var/log/daloradius.log


Create and import the database


# /usr/syno/mysql/bin/mysql -u root -p

> CREATE DATABASE radiusdb;
> GRANT ALL ON radiusdb.* TO radius@localhost IDENTIFIED BY "radpass";
> GRANT ALL ON radiusdb.* TO radius@127.0.0.1 IDENTIFIED BY "radpass";
> exit;

# cd /volume1/web/daloradius-0.9-9/contrib/db
# /usr/syno/mysql/bin/mysql -u radius -p radiusdb < fr2-mysql-daloradius-and-freeradius.sql
# password: radpass


Install PHP extension

Install php-pear and php-pear-db

# ipkg install php-pear
# pear config-set php_bin /usr/bin/php
# cd /opt/share/pear
# wget http://download.pear.php.net/package/DB-1.7.14.tgz
# mv DB-1.7.14.tgz DB.tgz
# tar xvzf DB.tgz
# chown -R nobody:nobody /opt/share/pear


Edit php configuration

# vi /usr/syno/etc/php.ini

include_path = .:/php/includes:/opt/share/pear:/opt/share/pear/DB

# vi /usr/syno/etc/php/user-setting.ini

append /opt/share/pear:/opt/share/pear/DB to open_basedir

Install php-gd

# ipkg install php-gd

Download and install otp server

# wget http://motp.sourceforge.net/bash/otpverify.sh Install necessary library

# ipkg install findutils # ipkg install md5deep # ipkg install bash Edit otpverify.sh

# vi [...]]]> MOTP stands for mobile one time password which provides one time password services.

Download and install otp server

1. Login to DS as root
2. mkdir -p /opt/usr/local/bin
3. cd /opt/usr/local/bin
4. Download otp server script

   # wget http://motp.sourceforge.net/bash/otpverify.sh

5. Install necessary library

   # ipkg install findutils
   # ipkg install md5deep
   # ipkg install bash

6. Edit otpverify.sh

   # vi /opt/usr/local/bin/otpverify.sh

   Changes highlighted in red.

   
   #!/opt/bin/bash
   #
   # Mobile One Time Passwords (Mobile-OTP) for Java 2 Micro Edition, J2ME
   # written by Matthias Straub, Heilbronn, Germany, 2003
   # (c) 2003 by Matthias Straub
   #
   # Version 1.05a
   #
   # This program is free software; you can redistribute it and/or
   # modify it under the terms of the GNU Library General Public
   # License as published by the Free Software Foundation; either
   # version 2 of the License, or (at your option) any later version.
   #
   # This software is distributed in the hope that it will be useful,
   # but WITHOUT ANY WARRANTY; without even the implied warranty of
   # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   # Library General Public License for more details.
   #
   # arguments:  $1 $2 $3 $4 $5
   # $1 - username
   # $2 - one-time-password that is to be checked
   # $3 - init-secred from token (to init token: #**#)
   # $4 - user PIN
   # $5 - time difference between token and server in 10s of seconds (360 = 1 hour)
   #
   # one-time-password must match md5(EPOCHTIME+SECRET+PIN)
   # 
   
   #
   # otpverify.sh version 1.04b, Feb. 2003
   # otpverify.sh version 1.04c, Nov. 2008
   #  changed line 1 to ksh because of problems with todays bash an sh
   # otpverify.sh version 1.05a, Jan. 2011
   #  changed back to bash and added in shopts line to ensure aliases handled
   #  correctly (bash is always available on any modern *nix unlike ksh)
   #
   
   PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/usr/local/bin:/opt/bin:/opt/sbin
   
   # ensure aliases are expanded by bash
   shopt -s expand_aliases
   
   if [ -e "`which md5 2>/dev/null`" ]
   then
   	alias checksum=md5
   	have_md5="true"
   fi
   if [ -e "`which md5sum 2>/dev/null`" ]
   then
   	alias checksum=md5sum
   	have_md5="true"
   fi
   
   
   alias checksum=md5deep
   have_md5="true"
   
   
   if [ $have_md5 != "true" ]
   then
   	echo "No md5 or md5sum available on server!"
   	exit 16
   fi
   
   function chop
   {
   	num=`echo -n "$1" | wc -c | sed 's/ //g' `
   	nummin1=`expr $num "-" 1`
   	echo -n "$1" | cut -b 1-$nummin1
   }
   
   if [ ! $# -eq 5 ] ; then
   echo "USAGE: otpverify.sh Username, OTP, Init-Secret, PIN, Offset"
   exit 14
   fi
   
   mkdir /opt/var/motp 2>/dev/null
   mkdir /opt/var/motp/cache 2>/dev/null
   mkdir /opt/var/motp/users 2>/dev/null
   chmod og-rxw /opt/var/motp 2>/dev/null || { echo "FAIL! Need write-access to /opt/var/motp"; exit 17; }
   chmod og-rxw /opt/var/motp/cache
   chmod og-rxw /opt/var/motp/users
   
   USERNAME=`echo -n "$1" | sed 's/[^0-9a-zA-Z._-]/X/g' `
   PASSWD=`echo -n "$2" | sed 's/[^0-9a-f]/0/g' `
   SECRET=`echo -n "$3" | sed 's/[^0-9a-f]/0/g' `
   PIN=`echo -n "$4" | sed 's/[^0-9]/0/g' `
   OFFSET=`echo -n "$5" | sed 's/[^0-9]/0/g' `
   EPOCHTIME=`date +%s` ; EPOCHTIME=`chop $EPOCHTIME`
   
   # delete old logins
   /opt/bin/find /opt/var/motp/cache -type f -cmin +5 | xargs rm 2>/dev/null
   
   if [ -e "/opt/var/motp/cache/$PASSWD" ]; then
   	echo "FAIL"
   	exit 15
   fi
   
   # account locked?
   if [ "`cat /opt/var/motp/users/$USERNAME 2>/dev/null`" == "8" ]; then
   	echo "FAIL"
   	exit 13
   fi
   
   I=0
   EPOCHTIME=`expr $EPOCHTIME - 18`
   EPOCHTIME=`expr $EPOCHTIME + $OFFSET`
   while [ $I -lt 36 ] ; do # 3 minutes before and after
   	OTP=`printf $EPOCHTIME$SECRET$PIN|checksum|cut -b 1-6`
   	if [ "$OTP" = "$PASSWD" ] ; then
   		/bin/touch /opt/var/motp/cache/$OTP || { echo "FAIL! Need write-access to /opt/var/motp" ; exit 17; }
   		echo "ACCEPT"
   		rm "/opt/var/motp/users/$USERNAME" 2>/dev/null
   		exit 0
   	fi
   	I=`expr $I + 1`
   	EPOCHTIME=`expr $EPOCHTIME + 1`
   done
   
   echo "FAIL"
   NUMFAILS=`cat "/opt/var/motp/users/$USERNAME" 2>/dev/null`
   if [ "$NUMFAILS" = "" ]; then
   	NUMFAILS=0
   fi
   NUMFAILS=`expr $NUMFAILS + 1`
   echo $NUMFAILS > "/opt/var/motp/users/$USERNAME"
   exit 11
   

   In case there is a newer version of this server script released in the future, here is the summary of changes:

   • line 1 should point to optware bash: /opt/bin/bash
   • The script will only looks for md5 and md5sum binary, however, we are using md5deep from optware instead. Add two lines to assign md5deep as checksum binary.
   • Add 10 to all error code, otherwise it will fail the FreeRadius server
   • Basically I’ve appended /opt to every path inside the script.
   • It need the find binary. We should use the binary provided by optware instead of using the system default binary.
7. # chmod 755 /opt/usr/local/bin/otpverify.sh

Download and setup Android motp client

Since I’ve an Android phone, I install the motp client to my phone.

1. Download the android motp client ‘Mobile-OTP’ from url below

   http://motp.sourceforge.net/Mobile-OTP.apk

2. Install the apk to the phone
3. Run the Mobile-OTP.
4. Input #**# and click ‘Calculate OTP’ button. An init-secret value will be generated. Copy the init-secret and paste it to somewhere, i.e. notepad.
5. Input 1234 and click ‘Calculate OTP’ button again. An one time password will be generated.
6. Now test the setup, SSH to the DiskStation as root and run the command as below:
   

   
# /opt/usr/local/bin/otpverify.sh testuser [one-time-password] [Init-secret] 1234 0


   If you run the command fast enough, the script should return “ACCEPT”. If you got a “FAIL”, repeats again by generating a new one-time-password and execute the command again couple times until you got “ACCEPT”. Make sure the Init-secret and One-time-password is input correctly.

FreeRadius changes

1. SSH to DS as root
2. # cd /opt/etc/raddb
3. # wget http://motp.sourceforge.net/dictionary.motp
4. Edit /opt/etc/raddb/dictionary, add following line to the end of the file

   $INCLUDE dictionary.motp

5. Although I don’t think this step is needed, but it is suggested by the official installation guide.
   # wget http://motp.sourceforge.net/execparams
6. Add a test user by editing /opt/etc/raddb/users file. Add following lines to the end of the file.
   

   
   testuser Auth-Type = Accept
       Exec-Program-Wait = "/opt/usr/local/bin/otpverify.sh %{User-Name} %{User-Password} 123412341234 1234 0",
       Fall-Through = Yes,
       Reply-Message = "Hello, %{User-Name}"
   

   where 123412341234 is the init-secret and 1234 is the pin of the test user. Replace the value of init-secret with the one generated by the Android OTP client.

7. Generate a new One-time-password using the Android OTP client (input 1234 and click ‘Calculate OTP’ button), then test the freeradius setup by executing the command below:
   

   
# radtest testuser [one-time-password] localhost 0 [FreeRadius shared secret password]


   If success, you should got a response similar to below:

   
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=48, length=46
Reply-Message = "Hello, testuser "


Now my services like OpenVPN and Squid accept OTP login

Resources

• Mobile-OTP

1. Modding series 9 – Setup an OpenLDAP Server
2. Modding series 21 – Install FreeRadius Server and integrate with OpenLDAP Server

Setup FreeRadius to support EAP-PEAP-TLS

1. SSH to DS as root
2. Edit /opt/etc/raddb/radiusd.conf, add following line to the config file

   $INCLUDE ${confdir}/sites-enabled/

   
# vi /opt/etc/raddb/radiusd.conf

   # add sites-enabled to the config
   $INCLUDE ${confdir}/sites-enabled/

3. Edit /opt/etc/raddb/radiusd.conf again, looks for the authenticate section and then add mschap within the section.
   

   
   # vi /opt/etc/raddb/radiusd.conf
   
   authenticate {
    .
    .
    .
     # add mschap
     mschap
   }
   

   Looks for modules section and add three lines within modules section as below

   
   # vi /opt/etc/raddb/radiusd.conf
   
   modules {
    # add expiration, logintime and attr_filter modules
    $INCLUDE ${confdir}/modules/expiration
    $INCLUDE ${confdir}/modules/logintime
    $INCLUDE ${confdir}/modules/attr_filter
   
   }
   

4. Edit /opt/etc/raddb/eap.conf, change default_eap_type to peap.
   

   
   # vi /opt/etc/raddb/eap.conf
   
   .
   .
   default_eap_type = peap
   .
   .
   

5. Edit /opt/etc/raddb/sites-enabled/default, looks for authorize section and un-comment the ldap line.
   

   
   # vi /opt/etc/raddb/sites-enabled/default
   
   authorize {
   .
   .
   # un-comment the ldap
    ldap
   .
   .
   }
   

   Then looks for authenticate section and uncomment Auth-Type LDAP as well.

   
   # vi /opt/etc/raddb/sites-enabled/default
   
   authenticate {
   .
   .
   # un-comment the ldap
    Auth-Type LDAP{
        ldap
    }
   .
   .
   }
   

6. Edit /opt/etc/raddb/sites-enabled/inner-tunnel, looks for authorize section and un-comment the ldap line.
   

   
   # vi /opt/etc/raddb/sites-enabled/inner-tunnel
   
   authorize {
   .
   .
   # un-comment the ldap
    ldap
   .
   .
   }
   

   Then looks for authenticate section and uncomment Auth-Type LDAP as well.

   
   # vi /opt/etc/raddb/sites-enabled/inner-tunnel
   
   authenticate {
   .
   .
   # un-comment the ldap
    Auth-Type LDAP{
        ldap
    }
   .
   .
   }
   

7. Edit /opt/etc/raddb/clients.conf, add the Wifi Access Point to the config file.
   

   
# vi /opt/etc/raddb/clients.conf

   # add access point details here, 192.168.0.1 is the ip of the access point

   client 192.168.0.1 {
        secret = [shared secret password of radius server]
        shortname = [SSID of the access point]
        nastype = other
   }
   

8. If you have firewall activate on your diskstation, make sure to add a firewall rule to allow the wifi access point to access the udp port 1812, 1813 and 1814.

For now the radius server is already able to perform authentication for wpa/wpa2 enterprise!

Generate client certificate

If you do not plan to perform authorization using client certificate, you can skip this part.

1. SSH to DS as root
2. Edit /opt/etc/raddb/certs/client.cnf, refer to modding series 21 for details about this client certificate config file.

   ** IMPORTANT The Country Name, State and Organization Name MUST match the value of the CA.

3. Before we generate the client certificate, we MUST backup the original certificate first.
   

   
# cd /opt/etc/raddb
# cp -r certs certs.b4genclient


4. Generate a client certificate
   

   
# cd /opt/etc/raddb/certs
# make client.pem

5. If you want to generate another client certificate for other wifi client. Edit the client.cnf and run make client.pem again. If make failed and said it couldn’t load a certificate, just copy the server.crt from backup directory and try again.
   

   
# cp /opt/etc/raddb/certs.b4genclient/server.crt /opt/etc/raddb/certs
# make client.pem


Install and Setup Syslog-ng

#ipkg install syslog-ng

The glib and eventlog packages should be installed by ipkg as well. Backup syslog-ng configuration

#cd /opt/etc/syslog-ng #mv syslog-ng.conf syslog-ng.conf.bak Create configuration [...]]]> Since NAS is running 24×7, it is the best device to capture my tomato router logs.

Install and Setup Syslog-ng

1. Login to NAS using ssh/telnet as root
2. install syslog-ng

   #ipkg install syslog-ng

   The glib and eventlog packages should be installed by ipkg as well.

3. Backup syslog-ng configuration

   #cd /opt/etc/syslog-ng
   #mv syslog-ng.conf syslog-ng.conf.bak

4. Create configuration file

   # vi /opt/etc/syslog-ng.conf

   Below is my syslog-ng configuration to capture only the tomato router log

   
options { long_hostnames(off); sync(0); };

   source src{
   internal();
   udp(port(5140));
   };

   destination tomatolog { file("/opt/var/log/tomato.log"); };

   log {
source(src); destination(wrt54glog);
};


   I’m using 5140 udp port, change to your own preferred port.

5. Run the syslog-ng server

   # /opt/etc/init.d/S01syslog-ng start

6. If you have enabled the NAS firewall, you need to insert a firewall rule to allow the inbound logging traffic from the tomato router.

   Open a browser and go to the NAS control panel. Navigate to Control Panel / Firewall section. Click ‘Create’ button to create a new firewall rule.

   Ports:
   Custom Port Type: Destination port
   Protocol: UDP
   Ports: 5140

   Source IP
   IP address: [IP address of tomato router, i.e. 192.168.1.1]

   Action
   Allow

   

   

Setup Tomato Router

1. Open a browser and go to tomato admin page
2. Navigate to Administration / Logging page
3. Unclick the ‘Log Internally’
   Click the ‘Log To Remote System’
   Input the NAS IP address and syslog-ng port (which is 5140 defined in the syslog-ng.conf file)
   Choose the event(s) you want to capture.
   Input ’0′ in the limit textbox.
   Click ‘Save’ button.

   

The router log is configured to /opt/var/log/tomato.log.

Luckily, the Squid compiled by optware already include basic-auth-helper option during compilation, what we need [...]]]> In previous article I setup Squid and using a passwd file to hold password for squid. But now I have freeradius running, I want to integrate Squid with Freeradius so that I don’t need to maintain the passwd file.

Luckily, the Squid compiled by optware already include basic-auth-helper option during compilation, what we need to do is compile our own radius plugin.

Pre-requisites

• ipkg install make
• ipkg install gcc

Installation

1. SSH to NAS as root
2. cd /root
3. Download the plugin source from squid officail site

   # wget http://www.squid-cache.org/contrib/squid_radius_auth/squid_radius_auth-1.10.tar.gz

4. Unpack it

   # tar xvzf squid_radius_auth-1.10.tar.gz

5. # cd squid_radius_auth-1.10/
6. Build the plugin by typing make. (you need to install make if not already do so – ipkg install make)

   # make

7. The plugin squid_radius_auth binary will be created here

   /root/squid_radius_auth-1.10/squid_radius_auth

8. Move the plugin to better directory

   # mv /root/squid_radius_auth-1.10/squid_radius_auth /opt/libexec

9. Edit squid configuration

   # vi /opt/etc/squid/squid.conf

   Comment the ncsa_auth helper and add radius helper

   #auth_param basic program /opt/libexec/ncsa_auth /opt/etc/passwd
   auth_param basic program /opt/libexec/squid_radius_auth -f /opt/etc/squid/squid_radius_auth.conf

10. Create the plugin configuration file

    # vi /opt/etc/squid/squid_radius_auth.conf

    Add the two lines below

    server 127.0.0.1
    secret sharedsecret

    (change sharedsecret to your radius server shared secret password)

11. Restart Squid

    # /opt/etc/init.d/S80squid stop
    # /opt/etc/init.d/S80squid start

As well as openvpn, I also have squid integrated with freeradius and using openldap as the only password store.

Installing Disk Station

My hard disk is WD2003FYYS-02W0B. Firware: DSM 3.1-1613 (claimed to be the last firmware available for 207 model.)

The solution is redesigned so that the htaccess file is pushing from NAS to web hosting account. This greatly simplifed the overall process and resolved the deadlock situation.

I have a few private wordpress blog hosting on some web hosting provider and want to protect my private blog to be [...]]]>

Update Aug 22 2011

The solution is redesigned so that the htaccess file is pushing from NAS to web hosting account. This greatly simplifed the overall process and resolved the deadlock situation.

I have a few private wordpress blog hosting on some web hosting provider and want to protect my private blog to be accessible only by home dynamic ip address.

This require rewriting htaccess file on web hosting account for every ip changes.

This may not related to Synology, but I need the help of DS207+ in order to perform the job by some automated scripts.

Solution

Firstly, a perl script sync-htaccess.pl is required to host on the NAS.

The script will

1. Get External IP address of the NAS by calling the getip.php hosting on web hosting account
2. Read the htaccess template, find the line @@@DYNAMIC@@@ and replace the line with ‘allow from 1.2.3.4′ (where 1.2.3.4 is the external IP address returned by getip.php)
3. Write the actual .htaccess files to temporary directory.
4. Upload the actual .htaccess files to web hosting account by synchronizing the temporary directory to the web hosting account. (using rsync over ssh)

The reason I am using rsync over ssh instead of scp/sftp to upload files because rsync and ssh is already provided by Synology, no addition ipkg package is required.

So, go ahead to create the perl script to /opt/usr/local/bin/sync-htaccess.pl


#!/usr/bin/perl

# v0.4
# Aug 22 2011
# Modified to run at NAS instead of webhost
# v0.31
# May 15 2011
# Add timeout and retries flag to wget command to prevent infinite lookup
# v0.3
# May 14 2011
# host not returning ip address, using wget instead
# v0.2
# May 3 2011
# Fix the host command to query type A record only

$version="0.4";

print "Executing sync-htaccess.pl version=$version\n";

##################################
### configuration begin here ###

# define sub domain 1
$site1output="/opt/tmp/sync-htaccess/.htaccess";
$site1template = "/opt/etc/sync/blog_htaccess_template";

# if you have more sub domain, copy the two lines and paste here
#$siteXXXoutput = "/opt/tmp/sync-htaccess/XXX/.htaccess";
#$siteXXXtemplate = "/opt/etc/sync/xxx_htaccess_template";

$logfile = "/opt/var/log/rsync-htaccess.log";
$sshkey = "/volume1/private/id_rsa";
$sshport = "22";
$source = "/opt/tmp/sync-htaccess/";
$remote = "/home/account/public_html";

$getipurl = "http://www.mydomain/getip.php";
$accid = "account_id";
$accdomain= "mydomain.com";

### END of CONFIGURATION, DO NOT MODIFY BELOW ####
##################################################

# get ip address
$ip=`wget --timeout=10 --tries=1 -qO - $getipurl | sed 's/^ *\(.*\) *\$/\1/'`;

print "ip address $ip\n";

# write to output file, if you have more subdomain, duplicate the line below and modified the variables
writeHtaccess($ip,$site1template,$site1output);

# upload to webhosting
system("/usr/syno/bin/rsync -avz --log-file=$logfile -e 'ssh -i $sshkey -p $sshport' $source $accid\@$accdomain:$remote");

print "done\n";

sub writeHtaccess{
my ($myip,$mytemplate,$myhtaccess) = @_;

open(TEMPLATE, $mytemplate) || die("Could not open file!");
@raw_data=